Comments for The Speech Dudes (https://speechdudes.wordpress.com)
The Edgy Side of Speech Pathology; sharp, profane, but never dull
Feed updated: Tue, 24 Feb 2015 19:12:50 +0000

Comment on Stop With the “Change Your Password” Ritual by Etyman
https://speechdudes.wordpress.com/2015/02/21/stop-with-the-change-your-password-ritual/#comment-2656
Tue, 24 Feb 2015 19:12:50 +0000

Thanks for that reminder, Mark! Yes, sometimes part of the process is to provide that “quick check” that you’re at the right site and not amazoon.com, where an extra letter can mean the difference between your book being delivered or your ass being handed to you! As I mentioned in the LessonPix reply, I’m focusing on my reactions as a user, where I am faced with having to retain different pieces of information, and the picture is an example of one more piece of data I have to attend to. It may well be that a picture seems easier to recognize than a password is recalled, but it still represents a “data chunk” that gets added to my (or any user’s) load. I understand that it offers extra security, but as the number of different passwords, pictures, and personal security phrases increases, so does the difficulty of remembering them. Hence many folks keep lists of passwords, or use the same ones over and over. But thanks for reminding us – and our readers – that security can take more forms than just a password.

Comment on Stop With the “Change Your Password” Ritual by Etyman
https://speechdudes.wordpress.com/2015/02/21/stop-with-the-change-your-password-ritual/#comment-2655
Tue, 24 Feb 2015 19:05:04 +0000

Thanks for the detailed explanation of how hashing works and how to choose a good password – that’s useful for folks to take to heart, and given that we’re all stuck with passwords, it’s worth having one that’s closer to the “impenetrable” end of the scale than the “this really isn’t a password” end. And it’s good to know that 90% of the time passwords are not being stored. I guess my beef is, and you did, of course, highlight that right up front, with the user experience and the seeming over-reliance on me (and others) having to take on the cognitive load. And as the user, knowing my passwords are not just sitting there as snippets of text might offer some comfort, but the experience of having to change a password three times in a year, or being unable to use any of my previous 9 passwords, is still existentially a pain. Studies have shown over and over that folks choose “easy” passwords not because they are stupid but because they are human and their memories are fallible. The folks at Consumer Reports took a survey in 2012 where they said that over 50% of folks have more than 6 password-protected accounts online, that 32% use a personal reference in their password, that 20% use the same password for up to five of their accounts, and almost 25% keep physical lists to remind them. And in an article in ComputerWorld (which was one of a few that prompted the rant), the author writes that “Passwords have been dead for years. Security experts have been advocating the need for companies to raise the bar on user authentication for a long time.”

So my irritation is at the level of consumer, not programmer. If there were a way for me to have one password and a second authentication method I could use across accounts, that would be splendid. However, that’s in the hands of developers, and I’m sure folks are working on this (biometrics, etc.). I’ve had the same PIN code for ATM access for 30 years and so far that’s worked out fine. Of course, there’s an inherent 2-factor element: card plus PIN, and probably some clever behind-the-scenes monitoring to check I don’t draw out $200 fifteen times in an hour.

I’ve added your suggested reading to my Amazon wish list. I’d also suggest, if I dare, that you might write a stand-alone blog post on passwords and password security, above and beyond what you mention above. Passwords may be “dying,” as some articles suggest, but until their eventual demise, any specific advice on how best to balance security with “dear Lord not another password!” would be brilliant. Maybe even a guest blog (something we’ve not done yet but always had on the books)?

Keep on reading, and keep us on our toes!


Comment on Stop With the “Change Your Password” Ritual by Mark A. Durham
https://speechdudes.wordpress.com/2015/02/21/stop-with-the-change-your-password-ritual/#comment-2653
Tue, 24 Feb 2015 02:21:27 +0000

The “stupid picture” is there to protect you from copycat “phishing” sites. It is supposed to authenticate the site to you, not you to the site.

Comment on Stop With the “Change Your Password” Ritual by LessonPix (@lessonpix)
https://speechdudes.wordpress.com/2015/02/21/stop-with-the-change-your-password-ritual/#comment-2652
Mon, 23 Feb 2015 04:17:14 +0000

Alright Dudes, I love you guys and there’s nobody I’d trust more on Speech and Linguistics. But there’s lots wrong with this post!

Before I trash it, let me say I agree with the core premise: identity management is a huge cluster, and placing more onus on the end-user is a big problem.

However, you’ve got a core fact wrong, and it really leads to lots of statements (made with authority – kudos) that are quite false. That core fact is this: 90%+ of the sites you log into never actually store your password. And 0% of those with a “list of your past 10” store them at all.

Let me explain. Web sites (like ours & every other one that matters) don’t store the password, they store a “one-way hash” of the password. I know this is a little technical, but hear me out: it matters.

In very layman’s terms, one-way hashes take a piece of text (your password) and run an algorithm to “scramble” it. That algorithm can’t be undone. So you can never take the result of the scramble (the “hash”) and get back your password. BUT, if you use the same one-way hash again on your password, you’ll get the same scrambled version.

Here’s a walk-through of a very insecure one-way hash. Our algorithm will simply lookup the order of each letter in the alphabet and add that to a running sum. We’ll use the password ‘sesame’.

S 19
E 5
S 19
A 1
M 13
E 5
—————
Total: 62

So, if you give me the password and I get the “hash” of 62, I will store that for later. If you later give me a password and I calculate the hash of 62, I can be pretty sure it’s the same one you gave me last time.

Modern one-way hashes are much more secure than that silly example. Most sites use one called “md5” although others like ‘SHA1’ are probably more secure. For reference, the md5 of ‘sesame’ is ‘b3fba6554a22fdc16c8e28b173085ccc’. And there is zero chance I could go backwards from that to ‘sesame’.

So, that means that those pesky sites aren’t letting your password lie around. And the ones with lists aren’t either: they have a list of your past 10 hashes and they check your password against all of them. They are irritating, but there isn’t a risk of others learning your password from what they store (reading it on the wire is another matter).

Now: why do they make you go through the “tough password” game? Well, let’s say that someone actually did break into the site and get a list of all of those hashes? What could they do with them? You can’t go from the hash to the password… but you CAN test words against them! Welcome to the world of the “dictionary attack”. This is where jerks take every word in English and check it against the list of hashes! Then they try common non-word passwords (“P@$$WORD”, “password123”, “abcd1234”, etc.). They can check each one against every entry in the list and eventually they will find someone with a dumb password like ‘sesame’. And hence you have a breach. And computers are VERY good at running through massive dictionary attacks very quickly.

What are we to do? Well – choose good passwords. Non-trivial ones that are easy to remember. Pick a song lyric and take the first letter from each word with a number and special character thrown in (see if you can guess “AlAaTlP&”). Or, if you’re a touch typist, make it your normal password with your hands shifted up one row (‘sesame’ -> ‘w3wqj3’). Find a phonetic password generator and keep playing until you find one that’s catchy – I used one for years. http://tools.arantius.com/password

Finally, know which things to stress about. For example:

They want long passwords that aren’t words – GOOD
They want you to change it fairly often – OK: it protects you from certain attacks
They don’t let you repeat passwords – FINE: it doesn’t help or hurt
They don’t let you use SIMILAR passwords – RUN AWAY! Remember, hashes shouldn’t let them know about similarity, so this means they are storing your password
They send password reset links by email – SO SO: it implies email is safe, which it isn’t, but it’s pretty common.
They send PASSWORDS by email – NOPE: again, they shouldn’t store your password.

If you want to learn more, I recommend Bruce Schneier’s Applied Cryptography – a GREAT book that is very easy reading (for the first few chapters) and that will open your eyes. Or, take a computer security class from MIT (Open Courseware).

Anyhoo – I hope you had a great weekend, and I look forward to your next Speech Rant :-)

Bill
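
The storage model Bill describes above (keep a one-way hash, re-hash the login attempt and compare; keep the last N hashes for the reuse check), written out as an added example that is not part of the comment thread. The letter-sum toy hash is his; the salted, iterated PBKDF2-HMAC-SHA256 record is my choice for the "real" hash rather than the md5/SHA1 he names, and the sample passwords and candidate strings are constructed. The toy hash shows why a hash must be collision resistant (anagrams and unrelated strings share the sum), the record functions show that a site can verify logins and enforce "not one of your past N" from stored hashes alone, and `verify("sesame1", ...)` shows why a site cannot judge similarity from hashes: a near-miss fails exactly like any other wrong password.

```python
import hashlib
import hmac
import os
import string
from typing import Optional


# --- Bill's toy hash: A=1 ... Z=26, summed over the letters of the password ---
def toy_hash(password: str) -> int:
    """Letter-sum "hash" from the comment; 'sesame' -> 62."""
    return sum(string.ascii_lowercase.index(ch) + 1
               for ch in password.lower() if ch in string.ascii_lowercase)


def toy_collisions(password: str, candidates) -> list:
    """Candidate strings (other than the password itself) with the same toy hash.
    Any anagram collides, and so do unrelated strings with the same letter sum,
    which is why a real one-way hash must make collisions infeasible to find."""
    target = toy_hash(password)
    return [c for c in candidates if c != password and toy_hash(c) == target]


# --- A salted, iterated one-way hash as a site should store it (my assumption:
#     PBKDF2-HMAC-SHA256; the comment itself names md5 and SHA1) ---
ITERATIONS = 100_000  # cost factor: slows every guess in a dictionary attack


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: salt + hash + iteration count, never the password.
    A fresh random salt per record means the same password hashes differently
    for every user and every change, so leaked hash lists cannot be cross-matched."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Re-run the one-way hash with the stored salt and compare in constant time.
    Only an exact match passes; 'sesame1' against the 'sesame' record is just
    another wrong password, which is all a hash can tell you."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def reused_recently(new_password: str, history: list) -> bool:
    """The "not one of your past N" rule needs only the old records (hashes),
    so a site can enforce it without ever holding an old password in the clear."""
    return any(verify(new_password, rec) for rec in history)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print("toy_hash('sesame') =", toy_hash("sesame"))
    print("toy collisions:", toy_collisions("sesame", ["ameses", "zzj", "open"]))
    rec = make_record("sesame")
    print("login with 'sesame':", verify("sesame", rec))
    print("login with 'sesame1':", verify("sesame1", rec))
    history = [make_record(p) for p in ("sesame", "w3wqj3")]
    print("reuse of 'sesame' blocked:", reused_recently("sesame", history))
    print("'sesame2' allowed:", not reused_recently("sesame2", history))
```

Note that the history check has to recompute the expensive hash once per stored record; that is the price of per-record salts, and it is the reason a site that can instantly say "too similar to a previous password" has almost certainly kept the plaintext.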


Comment on Stop With the “Change Your Password” Ritual by dukeiceland
https://speechdudes.wordpress.com/2015/02/21/stop-with-the-change-your-password-ritual/#comment-2648
Sat, 21 Feb 2015 17:10:56 +0000

Here’s a great video from singer Christine Lavin, called “The Password Song.” Well worth a listen ;)

Comment on Small Object of Desire: The Monteverde Invincia Stylus fountain pen – and Keyword Vocabulary by SLP Corner: 28 Words to Boost Your Client’s Vocabulary | PediaStaff Pediatric SLP, OT and PT Blog
https://speechdudes.wordpress.com/2013/01/27/small-object-of-desire-the-monteverde-invicia-stylus-fountain-pen-and-keyword-vocabulary/#comment-2646
Tue, 17 Feb 2015 20:00:32 +0000

[…] core and fringe – and an introduction to keyword vocabulary – check out my article entitled Small Object of Desire: The Monteverde Invincia Stylus fountain pen – and Keyword Vocabulary from two years […]

Comment on Valentine’s? President’s? Whose Day IS It? by Etyman
https://speechdudes.wordpress.com/2015/02/12/valentines-presidents-whose-day-is-it/#comment-2639
Thu, 12 Feb 2015 15:57:16 +0000

Ah, I need to pay more attention if I want to succeed more often! Using succeeding is indeed correct and I’ll make a change and mark it – I do so hate to revise my errors without being transparent ;)

Comment on Valentine’s? President’s? Whose Day IS It? by Etyman
https://speechdudes.wordpress.com/2015/02/12/valentines-presidents-whose-day-is-it/#comment-2638
Thu, 12 Feb 2015 15:55:29 +0000

I stand corrected. Being an “import” from the UK, I’m still having to learn an entirely new “history.” My knowledge of US Presidents is probably as limited as most Americans’ knowledge of the Kings and Queens of England – and worse than the Prime Ministers!

Comment on Valentine’s? President’s? Whose Day IS It? by Trish
https://speechdudes.wordpress.com/2015/02/12/valentines-presidents-whose-day-is-it/#comment-2637
Thu, 12 Feb 2015 15:49:28 +0000

Also, Lincoln’s actual birthday is February 12, not February 17. Happy Lincoln’s birthday!

Comment on Valentine’s? President’s? Whose Day IS It? by Trish
https://speechdudes.wordpress.com/2015/02/12/valentines-presidents-whose-day-is-it/#comment-2636
Thu, 12 Feb 2015 15:33:04 +0000

“Well, it’s because one of the accepted norms for using an apostrophe is that you use it before a final “s” to indicate the notion of possession; the idea that the preceding noun belongs to the apostrophized thing.” Wouldn’t it be more accurate to say the “succeeding” noun belongs to the apostrophized thing, since the noun follows the apostrophe? “Day” follows “St. Valentine’s”. Otherwise… great post!